
This article examines how to implement an IPSec VPN on the Cisco IOS XR platform. Compared with classic Cisco IOS, IOS XR uses a different set of constructs and commands for IPSec (crypto profiles and service interfaces instead of crypto maps), so an IOS configuration cannot simply be copied across.

This article assumes a basic working knowledge of the Cisco IOS XR platform (my earlier posts on IOS XR can serve as a reference). The network topology in Fig. 1 is used for the site-to-site IPSec VPN implementation.

Cisco IOS XR supports two types of IPSec deployments:

Software-based IPSec, which uses a tunnel-ipsec interface or a transport entity (crypto ipsec transport) for locally sourced traffic, that is, traffic that originates on the router itself.

Hardware-based IPSec, which uses service-ipsec or service-gre virtual interfaces backed by an IPSec service module, and is the type used for the site-to-site VPN in this article.

Before starting the configuration, let's review the essential IPSec and ISAKMP protocols and algorithms.

Internet Key Exchange (IKE) is the protocol IPSec uses to authenticate the peers and negotiate security associations (SAs). Phase 1 (ISAKMP) authenticates the peers and builds a protected channel between them; phase 2 then negotiates the IPSec SAs that protect the actual data.

IP Security (IPSec) is an open-standard framework that provides Layer 3 security services. It relies on IKE to negotiate the protocols, algorithms and keys, and then provides data confidentiality, integrity and origin authentication for one or more data flows between the participating peers.

RSA (Rivest-Shamir-Adleman) is the public-key algorithm behind two of the IKE phase 1 authentication methods: rsa-sig (RSA signatures, normally with certificates) and rsa-encr (RSA-encrypted nonces). The third method, pre-share, uses a pre-shared key on both peers and is the most common choice for a small number of site-to-site tunnels.

As Fig. 3 shows, ESP supports both encryption and hash (integrity) algorithms, while AH supports hash algorithms only. In practice this means ESP can provide confidentiality and integrity, whereas AH provides integrity and origin authentication but no confidentiality.

Steps to Implement IPSec VPN on IOS XR

Step 1. Enable ISAKMP and configure an ISAKMP policy

Multiple IKE policies can be configured on an IOS XR device, each with a different combination of parameter values; however, for a policy to match during phase 1, the encryption algorithm, hash, authentication method and Diffie-Hellman group must be identical on the remote peer. The lifetime may differ, in which case the shorter value is used.

Next, create a crypto profile that references the ACL and the transform set. The ACL selects the interesting traffic, and the transform set defines how that traffic is protected. With a transform set of "esp-aes esp-sha-hmac", all matched traffic is encrypted with AES and integrity-protected with HMAC-SHA-1. The destination networks in the ACL must also be routed into the IPSec virtual interface: either configure a static route for them pointing to the service-ipsec interface, or configure "reverse-route" in the crypto profile so that reverse route injection (RRI) installs those routes automatically. In a site-to-site configuration the command is therefore optional, provided the static routes exist.

The IPSec virtual interface is configured as either "service-ipsec" or "service-gre", and the choice must match the mode set in the transform set: tunnel mode uses "interface service-ipsec", while GRE over IPSec with transport mode uses "interface service-gre".
</gre_replace>
<gr_replace lines="31" cat="clarify" orig="This provides modularity">
Using ISAKMP profiles in this way provides modularity for the phase 1 negotiation: different ISAKMP parameters (keyring, peer identity, lifetimes) can be mapped to different IPSec tunnels, and different IPSec tunnels to different VPN routing and forwarding (VRF) instances.

This provides modularity of phase-1 ISAKMP negotiations and maps different ISAKMP parameters to different IPSec tunnels, and different IPSec tunnels to different VPN forwarding and routing (VRF) instances.
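The steps above pulled together as one complete IOS XR configuration for the left-hand site, added here as a worked example; it is not the article's own configuration, which the page does not reproduce. All addresses, names and the service-module location are assumptions: local WAN address 10.0.0.1 with peer 10.0.0.2, local LAN 192.168.1.0/24, remote LAN 192.168.2.0/24, and the IPSec service module in slot 0/2/CPU0. The remote peer is configured as a mirror image with the same policy, transform set and pre-shared key.

```text
! Step 1: enable ISAKMP and define the phase 1 policy.
! encryption, hash, authentication and group must match on the peer.
! group 2 (1024-bit DH) is weak; use the strongest group the platform offers (assumed: group 5).
crypto isakmp
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 28800
!
! Pre-shared key for the peer, held in a keyring and bound to the peer by an ISAKMP profile.
! <long-random-secret> is a placeholder: use a long random value, never a dictionary word.
crypto keyring SITE-B-KEYS
 pre-shared-key address 10.0.0.2 255.255.255.255 key <long-random-secret>
!
crypto isakmp profile SITE-B-IKE
 keyring SITE-B-KEYS
 match identity address 10.0.0.2 255.255.255.255
!
! Interesting traffic: local LAN to remote LAN (IOS XR ACL syntax).
ipv4 access-list VPN-TRAFFIC
 10 permit ipv4 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Phase 2 transform set: ESP with AES and HMAC-SHA-1 in tunnel mode,
! so the virtual interface must be service-ipsec (service-gre would need transport mode).
crypto ipsec transform-set TS-AES-SHA
 transform esp-aes esp-sha-hmac
 mode tunnel
!
! Crypto profile ties the ACL and transform set together.
! reverse-route injects a route for 192.168.2.0/24 via the service-ipsec interface.
crypto ipsec profile SITE-B-IPSEC
 match address VPN-TRAFFIC
 set transform-set TS-AES-SHA
 set pfs group5
 reverse-route
!
! IPSec virtual interface bound to the crypto profile and to the service module.
interface service-ipsec 1
 ipv4 address 172.16.0.1 255.255.255.252
 profile SITE-B-IPSEC
 tunnel source 10.0.0.1
 tunnel destination 10.0.0.2
 service-location preferred-active 0/2/CPU0
!
! If reverse-route is omitted, route the remote LAN into the tunnel by hand instead:
! router static
!  address-family ipv4 unicast
!   192.168.2.0/24 service-ipsec 1
```

Remember that IOS XR applies nothing until you enter commit. To bring the tunnel up, send traffic that matches the ACL (for example a ping from a host in 192.168.1.0/24 to one in 192.168.2.0/24) and then check show crypto isakmp sa for the phase 1 SA and show crypto ipsec sa for the phase 2 SAs and their encapsulation counters. If phase 1 never completes, the usual culprits are a policy parameter that differs between the peers or a pre-shared key mismatch; if phase 1 is up but no phase 2 SA appears, check that the ACLs on the two sides are exact mirrors of each other.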

After completing these steps, the remote sites communicate over the encrypted tunnel; show crypto isakmp sa and show crypto ipsec sa confirm the phase 1 and phase 2 security associations. Once a site-to-site IPSec VPN works on IOS XR, extending the design to other VPN types on the platform is much easier.

I hope this article brings you closer to the ocean of IOS XR implementations. I will continue to explore the edges of IOS XR technologies, but I also want to read your feedback and your Intenseschool.com experience in the comments section.


Nitin Vashisht is a Network Engineer and holds a Bachelor of Engineering degree in Information Technology, with more than five years of experience in network engineering and Windows system/server administration. He also holds industry-leading professional certifications in Cisco and Microsoft technology. He is always keen to learn new technologies and tries every day to make technology easier so that everyone can understand it. He currently works as a Senior Technical Trainer and Network Engineer, responsible for delivering high-end technology training and solutions to corporate clients.
